ELCE 2013 - Secure Embedded Linux Product (A Success Story) Marcin - - PowerPoint PPT Presentation

SLIDE 1

ELCE 2013

  • Secure Embedded Linux Product (A Success Story)

Marcin Bis

http://bis-linux.com marcin@bis-linux.com

Edinburgh - 2013.10.25

1 / 31

SLIDE 2

About me

  • Marcin Bis
  • Entrepreneur
  • Embedded Linux: system

development, kernel development.

  • Esp. Linux + Real-Time - automation

(industrial- and home-).

SLIDE 3

Agenda?

I want to tell you about a success story. . . about protecting the added value in a product.

  • A few quick words about security
  • Embedded security.
  • Attack vector and surface.
  • What is similar with standard system security?
  • Practical example - secured embedded Linux system.
  • A problem (business view).
  • Active & passive security.
  • Examples.

I will not talk about:

  • Android
  • Web apps, dedicated apps, cloud.

SLIDE 4

Attack surface

One or more input methods of the system:

  • which can be accessed by an untrusted user,
  • or access to which can be influenced.

SLIDE 5

Attack vector

. . . to exploit a surface. Common ones:

  • network (TCP/IP, Wi-Fi),
  • application,
  • serial port.

Less obvious:

  • USB,
  • I2C,
  • solid state memory (FLASH),
  • Bluetooth
  • GPS, cellular network.

Less obvious == more dangerous.

SLIDE 6

Embedded vs. standard

Some differences:

  • Some attack vectors are unique to embedded devices.
  • Problematic updates (software monoculture: one bug hits every unit).
  • People do not treat them as computers.

On the other hand - the same programs and services, (wireless) network accessible: Apache, openssh, perl, avahi, dns, openssl etc.

SLIDE 7

Some examples

  • Stuxnet
  • FTP access to / via the root account.
  • admin:default - common in network devices.
  • More, easy to find: http://lwn.net/talks/elc2009/ (2009).
  • Another example of hard-coded credentials:

SLIDE 8

Make it secure (trivia)

Common attacks are easy to avoid:

  • Restrict shell access, e.g. on the serial port:
    • strong password,
    • use PAM to auto-logout idle shells.
  • Other ways to reach a shell (web shell, ssh, telnet (!) etc.):
    • strong passwords (+1).
  • Do not run all applications from the root account.
  • Keep components patched (bug-fixed).
  • Self-developed vs. standard software.
  • Defensive programming.
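As an added example (not code from the talk), the checks behind this list can be scripted against an unpacked rootfs before it ships. The script below is my own illustration: it builds a constructed sample rootfs in a temporary directory (the accounts, hashes and inittab lines are made up for the demo) and flags empty passwords, legacy DES-crypt hashes, extra uid-0 accounts, telnetd in inittab and a login getty on the serial console.

```python
"""Audit an extracted embedded-Linux rootfs for the slide's checklist items.

Added example, not code from the talk.  It checks an unpacked root
filesystem tree for: empty password fields, legacy DES-crypt hashes,
extra uid-0 accounts, telnetd in inittab and a login getty on the
serial console.  The sample rootfs below is constructed for the demo.
"""
import os
import tempfile

# Constructed sample rootfs (hypothetical device, not a real product).
SAMPLE_FILES = {
    "etc/passwd": (
        "root:x:0:0:root:/root:/bin/sh\n"
        "admin:x:0:0:admin:/:/bin/sh\n"            # second uid-0 account
        "www:x:33:33:www:/var/www:/bin/false\n"
    ),
    "etc/shadow": (
        "root:$6$constructed$notarealhash:16000:0:99999:7:::\n"
        "admin::16000:0:99999:7:::\n"              # empty password field
        "www:*:16000:0:99999:7:::\n"               # locked account, fine
    ),
    "etc/inittab": (
        "::sysinit:/etc/init.d/rcS\n"
        "ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100\n"  # shell on serial
        "::respawn:/usr/sbin/telnetd -F\n"                    # telnet (!)
    ),
}


def build_sample_rootfs():
    """Write SAMPLE_FILES into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="rootfs-audit-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


def _lines(root, rel):
    """Return the non-empty lines of root/rel, or [] when the file is absent."""
    path = os.path.join(root, rel)
    if not os.path.isfile(path):
        return []
    with open(path) as fh:
        return [line.rstrip("\n") for line in fh if line.strip()]


def audit_rootfs(root):
    """Return a sorted list of 'check:detail' findings for the tree at root."""
    findings = []

    # Every uid-0 account other than root is a hidden root login.
    for line in _lines(root, "etc/passwd"):
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            findings.append(f"uid0-account:{fields[0]}")

    # Password field: empty means no password; '!'/'*' means locked;
    # '$id$...' is a modern crypt hash; anything else is 13-char DES crypt.
    for line in _lines(root, "etc/shadow"):
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append(f"empty-password:{user}")
        elif not pw.startswith(("$", "!", "*")):
            findings.append(f"des-crypt-hash:{user}")

    # inittab: telnetd listening, or a login prompt on the serial port.
    for line in _lines(root, "etc/inittab"):
        if "telnetd" in line:
            findings.append("telnet-enabled")
        if "getty" in line and "ttyS" in line:
            findings.append("serial-console-login")

    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_rootfs(build_sample_rootfs()):
        print(finding)
```

Run it against a real extracted image with audit_rootfs("/path/to/rootfs"). The DES-crypt check is a format check only (13-character traditional crypt hashes); catching known defaults such as admin:default would additionally need the target's crypt variant to hash candidate passwords with each account's salt.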

SLIDE 9

Passive security

SLIDE 10

How does the customer see the product?

SLIDE 11

How does my customer see the product?

  • Hardware becomes cheaper and cheaper.
  • Expectations increase (let's add functionality).
  • Linux and open source are the foundation of the software product.
  • Open Source and Free Software give us all the same freedom:
    • every developer has the same rights,
    • and equal chances.
  • The customer will make money on the added value
  • according to the licences, of course:
    • GPL
    • LGPL
    • BSD

SLIDE 12

Added value?

SLIDE 13

How to secure the added value?

  • The possibility of "Tivoization" - do not go too far.
  • GPLv3

SLIDE 14

Let’s do it!

At first:

  • Nothing will stop a user (abuser) from de-soldering a component and trying to analyze the logic states on its pins.
  • Most SoCs have hundreds of pins - it is difficult (but not impossible).

It all depends on how determined the attacker is ($$$). Security is a process, not a product.

SLIDE 15

Hardware methods

  • BGA packages - it is harder to probe data on the bus,
  • inner layers of the PCB are harder to access (buried vias),
  • when using an application processor plus an external microcontroller - add some logic that checks timing (like a watchdog),
  • TPM chips.

SLIDE 16

VIA (Wikipedia)

SLIDE 17

Hidden Via (3) (Wikipedia)

SLIDE 18

A PCB sandwich (Wikipedia)

SLIDE 19

The problem. . .

  • It is not easy to debug firmware.

SLIDE 20

Let’s secure data

  • Sign it:
    • TPM
    • HAB (Freescale High Assurance Boot)
  • or encrypt it:
    • should be fast,
    • performance penalty (esp. for Real-Time),
    • where to store the key?

SLIDE 21

How to encrypt the rootfs

Block devices (e.g. eMMC):

  • dm-crypt
  • man cryptsetup
  • LUKS

Any filesystem:

  • ecryptfs
  • sudo mount -t ecryptfs tmp1 tmp2
  • problems when used as the rootfs (pivot_root, switch_root),
  • still, it can be used to encrypt parts of the filesystem.

The customer wants a raw NAND device (wear leveling), so a plain block-device approach does not fit.

SLIDE 22

NAND

How does it work?

SLIDE 23

JFFS2, YAFFS2, LogFS

SLIDE 24

UBI

SLIDE 25

UBI is nice. . .

. . . for big NANDs:

  • http://elinux.org/Flash_Filesystem_Benchmarks

How to add encryption?

  • It can emulate a block device (and then dm-crypt fits on top).
  • Use ecryptfs on top of UBIFS.
  • Look at the source code.

UBIFS already compresses the data it writes. Maybe it could encrypt it too:

  • using the kernel Crypto-API.

(Mainline UBIFS gained exactly this, file-based encryption through fscrypt, in Linux 4.10, years after this talk.)

SLIDE 26

SLIDE 27

On the other side:

SLIDE 28

Use a proper block cipher mode

The command below encrypts the image in ECB mode; because ECB maps equal plaintext blocks to equal ciphertext blocks, the picture is still recognisable after encryption:

  • openssl enc -aes-128-ecb -k "secret" -in logo.ppm -out out.ppm
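As an added example (not code from the talk or from OpenSSL), here is what that command leaks, measured rather than pictured. AES is not reimplemented: a toy 4-round Feistel cipher keyed with HMAC-SHA256 stands in for the block cipher (it is a permutation on 16-byte blocks, which is all the mode comparison needs, and it must not be used for real data). The logo.ppm is a constructed 32x32 P6 image, white with a black square; the key and IV are arbitrary demo values.

```python
"""Why the slide's 'openssl enc -aes-128-ecb' on a .ppm leaks the picture.

Added example, not code from the talk.  AES itself is not reimplemented
here; the block cipher is a toy 4-round Feistel network keyed with HMAC,
used only to compare cipher MODES (ECB vs CBC) on a 16-byte block size.
Do not use the toy cipher for anything real.  The 'logo' is a constructed
P6 PPM: white background with a black square.
"""
import hashlib
import hmac

BLOCK = 16  # bytes per cipher block, same as AES


def _feistel_round(key, i, half):
    """Round function F_i: keyed PRF of the 8-byte half, truncated to 8 bytes."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt_block(key, block):
    """Toy 16-byte block cipher: 4-round Feistel (a permutation for any F)."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _feistel_round(key, i, r))
    return l + r


def toy_decrypt_block(key, block):
    """Inverse of toy_encrypt_block: run the rounds backwards."""
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _feistel_round(key, i, l)), l
    return l + r


def ecb_encrypt(key, data):
    """ECB: every block encrypted independently, so equal plaintext blocks
    give equal ciphertext blocks and the image structure survives."""
    return b"".join(toy_encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def ecb_decrypt(key, data):
    return b"".join(toy_decrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def cbc_encrypt(key, iv, data):
    """CBC: each block is XORed with the previous ciphertext block first,
    so repeated plaintext blocks no longer repeat in the output."""
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def make_logo_ppm(size=32, box=(8, 24)):
    """Constructed logo.ppm: returns (header, pixel bytes) of a P6 image."""
    header = f"P6\n{size} {size}\n255\n".encode()
    pixels = bytearray()
    for y in range(size):
        for x in range(size):
            inside = box[0] <= x < box[1] and box[0] <= y < box[1]
            pixels += b"\x00\x00\x00" if inside else b"\xff\xff\xff"
    return header, bytes(pixels)


def distinct_blocks(data):
    return len({data[i:i + BLOCK] for i in range(0, len(data), BLOCK)})


def compare_modes(key, iv, pixels):
    """Encrypt the pixel data in both modes and count distinct ciphertext
    blocks: ECB keeps exactly the plaintext's block pattern."""
    ecb = ecb_encrypt(key, pixels)
    cbc = cbc_encrypt(key, iv, pixels)
    return {
        "blocks": len(pixels) // BLOCK,
        "plain_distinct": distinct_blocks(pixels),
        "ecb_distinct": distinct_blocks(ecb),
        "cbc_distinct": distinct_blocks(cbc),
        "ecb_roundtrip": ecb_decrypt(key, ecb) == pixels,
    }


if __name__ == "__main__":
    header, pixels = make_logo_ppm()
    # The classic demo keeps the PPM header in clear so out.ppm stays
    # viewable; the slide's openssl command encrypts the header as well.
    print(compare_modes(b"constructed-demo-key", bytes(BLOCK), pixels))
```

On the constructed logo, ECB produces the same 4 distinct ciphertext blocks as there are distinct plaintext blocks, so the square's outline is intact, while CBC yields 192 distinct blocks for 192 inputs. With real AES the comparison is the same; the fix is a chained mode such as CBC with a random IV, or better an authenticated mode such as GCM, never ECB.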

SLIDE 29

Secured device

The problem of where to store the encryption key still exists.

SLIDE 30

Secured device. . .

The problem of where to store the encryption key still exists.

  • Put it in the device tree as a property.
  • Modify the NAND driver to read it from there.

Then encrypt the kernel + DT image using the chip's own functions (i.MX28 secure boot), so the key is not stored in clear in external flash.

SLIDE 31

Thank You!

What is important? Security is not a product, it is a process. What else? Internal attacks. I do not even trust myself.

Questions?
